Re: [FC8] ssh and CAC card???

Jeff Krebs wrote, On 12/04/2007 08:00 PM:
* Todd Denniston (Todd.Denniston@xxxxxxxxxxxxxxxxxx) wrote:
 From what I understood, the change to openssh listed in:
rpm -q --changelog openssh | less
as:
"* Wed Jun 20 2007 Tomas Mraz <tmraz@xxxxxxxxxx> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
"
was supposed to allow the Common Access Card (CAC) to work with the shipped Fedora 8 ssh.

As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does not help at all, and `man ssh-add` points to `ssh-add -s reader`
# ssh-add -s 0
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 0
# ssh-add -s 1
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 1

So does anyone know how to use the possible functionality, or are we reduced to reading the source?


There is a link:

http://www.nabble.com/ssh-and-CAC-t2483281.html

Look at the next to the last email in that thread... yep that's me.


with some information.

You have the SmartCard setup working under Linux?

Yes, well _had_ in FC[1457].
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8

But Red Hat believes that known to be working (and documented) solutions are bad:
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11
so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh instead. (I will comment more on this when I get done doing minimal testing on Alon's patches to
http://www.openvpn.net
http://gnupg-pkcs11.sourceforge.net/
As we (DoD) need all of these to work, and apparently Alon has had them working for over a year now, considering the date on the mail you pointed to. At least the twists they did to pam_pkcs11 worked, even if they did not update the documentation to explain how to make it work. I was fortunately on another mailing list where someone had posted a quick how to get it to sort of work.)


My real problem here is that I am trying to work with what the distribution has (RH's NSS), instead of dropping back and punting Alon's and my patches into yet another version of the distro, which would mean I have to support it each time a new fedora ssh patch is released.



What reader are you using? I've tried the ActiveCard v2.0 USB to no avail. Actually, this is known not to work, but I had to try anyway :)


SCM SCR331 firmware 5.18
there is newer firmware that makes the SCR331 perform full length CCID transfers (needed for the PIV applet), and I intend to update the whole batch we have after I test a few.

BTW IIRC the ActiveCard v2.0 USB can be updated with the SCR firmware to effectively make it act as an SCR, or so I have read, YMMV. I highly suggest researching the change before doing it though, and I think at ~$20 a new SCRx31 or gemplus reader is easier to deal with. (So I suppose if you consider the ActiveCard reader a door stop anyway, you would not lose anything if you burn it out in the attempt to update the firmware.)

I should have an Athena USB reader coming my way soon. Hopefully that will allow use with FireFox.
Assuming Athena USB reader is CCID Compliant http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant then at least the CAC, through pcscd and CoolKey can be made to work with pam_pkcs11 and Mozilla products.

Hope this helps you.

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
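One caveat worth having next to the `ssh-add -s 0` / `ssh-add -s 1` attempts above: in upstream OpenSSH from 5.4 onward, the argument to `ssh-add -s` is the path of a PKCS#11 shared library (CoolKey, OpenSC, etc.), not a reader index, so a bare number will never load a card there. The following is an added example, not code from the thread or from Fedora's NSS patch; it locates a PKCS#11 module from a list of candidate paths (the paths and the `pgrep pcscd` check are assumptions, adjust for your distribution) and hands it to the agent.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes upstream OpenSSH >= 5.4,
# where `ssh-add -s` takes a PKCS#11 library path. Candidate module paths below
# are assumptions; edit them or set PKCS11_CANDIDATES in the environment.

PKCS11_CANDIDATES="${PKCS11_CANDIDATES:-/usr/lib64/pkcs11/libcoolkeypk11.so /usr/lib/pkcs11/libcoolkeypk11.so /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib/pkcs11/opensc-pkcs11.so /usr/lib64/opensc-pkcs11.so /usr/lib/opensc-pkcs11.so}"

# Print the first readable module from a whitespace-separated candidate list.
# Returns 0 on success, 1 when no candidate exists (nothing printed).
find_pkcs11_module() {
    for m in $1; do
        if [ -r "$m" ]; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# The reader is driven by pcscd; without it every PKCS#11 module fails to
# see the card. (Process-name check is an assumption about your setup.)
pcscd_running() {
    pgrep -x pcscd >/dev/null 2>&1
}

# Load the card's keys into the running ssh-agent. ssh-add prompts for the
# card PIN itself; the exit code tells you whether the agent accepted it.
load_card_into_agent() {
    mod=$(find_pkcs11_module "$PKCS11_CANDIDATES") || {
        echo "no PKCS#11 module found in: $PKCS11_CANDIDATES" >&2
        return 2
    }
    if ! pcscd_running; then
        echo "warning: pcscd does not appear to be running; the module will not see the reader" >&2
    fi
    echo "using PKCS#11 module $mod" >&2
    ssh-add -s "$mod" && ssh-add -l
}

# Only touch the agent when explicitly asked, so the functions above can be
# sourced or tested without a card present.
case "${1:-}" in
    --load) load_card_into_agent ;;
esac
```

Run it as `sh load_cac.sh --load` inside a session that already has `SSH_AUTH_SOCK` set; to unload the card later, `ssh-add -e` takes the same library path. `ssh-add -l` afterwards should list the certificate key(s) from the card, which is the quickest check that the module, pcscd and the reader agree with each other.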

